Spear-phishing email impersonating the South Korean Embassy in China

2024-04-03 Hauri Cyber threat report on Kimsuky

https://hauri.co.kr/security/issue_view.html?intSeq=440&page=1&article_num=336


Hauri reports a spear-phishing operation assessed as likely Kimsuky activity in which an attacker impersonated the South Korean Embassy in China to target a Seoul National University professor. The operator conducted natural back-and-forth email communication about a Korea-China and North Korea-China relations meeting, then delivered a password-protected RAR from Google Drive containing four HWP decoy documents and a malicious LNK file. When executed, the LNK searched for a shortcut of a specific size, dropped embedded HWP content as a decoy, generated an AES key, and attempted to download encrypted data from Dropbox at content.dropboxapi.com/2/files/download using the path /step5/ps.bin. The decrypted payload was assessed as capable of injecting malicious data into a normal file, stealing user information, or executing attacker commands, highlighting persistent target engagement and cloud-storage abuse in Kimsuky-style phishing.
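The only network indicator the summary gives is the Dropbox content API download endpoint with the file path /step5/ps.bin. Legitimate Dropbox use also hits that endpoint, so a useful detection distinguishes "any Dropbox download" (worth triaging on hosts where Dropbox is not expected) from "download of the reported path". The following is an added example, not Hauri's code or the report's own detection logic; it assumes a proxy log format, constructed here, in which the value of the Dropbox-API-Arg request header (a JSON object whose "path" member names the file) is recorded as an api_arg= field. The sample log lines are constructed, not observed data.

```python
"""Flag Dropbox file-download API requests of the kind described in the Hauri summary."""
import json
import re
from urllib.parse import urlparse

# Indicators taken from the report summary: host, API endpoint, reported file path.
DROPBOX_CONTENT_HOST = "content.dropboxapi.com"
DROPBOX_DOWNLOAD_ENDPOINT = "/2/files/download"
REPORTED_DROPBOX_PATH = "/step5/ps.bin"

# Constructed proxy log lines (illustration only). Assumed format:
# <timestamp> <client_ip> <method> <url> [api_arg=<JSON value of the Dropbox-API-Arg header>]
SAMPLE_LOG_LINES = [
    '2024-04-03T09:10:11Z 10.1.1.20 GET https://www.snu.ac.kr/',
    '2024-04-03T09:12:45Z 10.1.1.20 POST https://content.dropboxapi.com/2/files/download api_arg={"path":"/step5/ps.bin"}',
    '2024-04-03T09:13:02Z 10.1.1.31 POST https://content.dropboxapi.com/2/files/download api_arg={"path":"/Reports/q1.xlsx"}',
    '2024-04-03T09:14:30Z 10.1.1.42 POST https://content.dropboxapi.com/2/files/upload',
    '2024-04-03T09:15:00Z 10.1.1.50 GET https://drive.google.com/uc?export=download&id=EXAMPLE',
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
    r"(?:\s+api_arg=(?P<arg>.*))?$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["api_path"] = None
    if rec["arg"]:
        # The Dropbox-API-Arg header carries JSON; only the "path" member matters here.
        try:
            rec["api_path"] = json.loads(rec["arg"]).get("path")
        except (json.JSONDecodeError, AttributeError):
            rec["api_path"] = None
    return rec


def classify(rec):
    """Return 'none', 'dropbox_download', or 'match_reported_path' for a parsed record."""
    u = urlparse(rec["url"])
    if u.hostname != DROPBOX_CONTENT_HOST or u.path != DROPBOX_DOWNLOAD_ENDPOINT:
        return "none"
    if rec["api_path"] == REPORTED_DROPBOX_PATH:
        return "match_reported_path"
    return "dropbox_download"


def scan(lines):
    """Return (client_ip, requested_dropbox_path, verdict) for every Dropbox download seen."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict != "none":
            hits.append((rec["client"], rec["api_path"], verdict))
    return hits


if __name__ == "__main__":
    for client, path, verdict in scan(SAMPLE_LOG_LINES):
        print(f"{verdict:22} client={client} path={path}")
```

Running the block against the constructed lines reports the /step5/ps.bin request as a match on the reported path and the other download as a generic Dropbox download for triage; the upload and Google Drive requests are not flagged. A proxy that does not log request headers can still apply the host-and-endpoint check, but then loses the ability to separate the reported path from ordinary Dropbox traffic.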

Indicators of Compromise

Type Value First Seen Last Seen
URL https://content.dropboxapi.com/… 2020-03-25 2025-09-03
